RE: [gnso-ff-pdp-may08] The need for facts
- To: mike@xxxxxxxxxx
- Subject: RE: [gnso-ff-pdp-may08] The need for facts
- From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
- Date: Sun, 13 Jul 2008 14:13:35 -0700
#1) what facts would we need in order to understand its scale and scope?
1a. How many IP addresses are known to be participating as fastflux nodes?
1b. How many domains names use fastflux?
1c. How many unique name servers support fastflux domains?
1d. What fraction of those unique name servers are themselves served on
1e. What registrars or registration service providers have been used to
create fastflux domains?
1f. If notified that a customer's domain is fast fluxing, what (if anything)
will a registrar or registration service provider do? How long does it
take them to do it? If they do nothing, why? If they *do* do something,
what do they do?
1g. If notification is made to ISPs, will they pass those notifications
along to the infected customers? If so, do the customers, once notified,
appear to be remediated (or at least cease to be seen as fastflux nodes?)
#2) where could we get those facts?
2a. Accept a feed of fastflux domain name candidates, and verify the IP
addresses on which they live.
2b. From the 2a list, extract name servers and registrars/registration
2c. Contact the registrar/registration service provider with the observed
data, and note their response (including the time required to make
those reports, and the time required for the registrar/registration
service provider to respond/react). Truncating the right tail of the
response window at some reasonable time period may be desirable.
2d. Track individual fastflux IPs over time, including noting time of
#3) are the statistics being collected now? how well -- is the data credible?
3. I'm a big believer of data replication and validation. I'd encourage folks
who feel likewise to participate in measuring this phenomenon. Replication
brings validity and trust.
#4) if they're being collected, is the person/organization willing to
4. In the "everyone a gardener/hunter, everyone a chef" model, that's up
to each gardener/hunter chef. :-)
#5) if they're not being collected now, what's the best place to get
#them and is it worth it to go after them?
WRT the "is it worth it to go after them," am I detecting backsliding
from the earlier "we like facts/data?" :-;
Data collection isn't completely painless, but it doesn't need to be
particularly painFUL, either.
#at this stage of the game, i'm yearning more for reliable information
#*sources* than raw data.
Be paranoid. Trust no one. A thousand eyes are better than one (or even
two :-) ). Information you collect yourself is the best information of all.
#reliable/public/published methods of analyzing that data to help us
#understand the breadth and depth of the problems we're looking at.
The nice thing about fastflux is that it is "self-exposing" once you
know where to look. Happy to start suggesting relevant rocks.
#one of the things that i'm pondering is the need for some sort of
#collaboration between us (ICANN) and some of the other institutions
#that are out there.
Collaboration is very good, as is your list. At the risk of stating the
obvious, I'd also suggest the APWG be formally on that list, and MAAWG.
The Educause Security Task Force is actually the Educause/Internet2
(or Internet2/Educause) Security Task Force, and that's yet another
activity I'm involved with as part of my $DAYJOB. :-)
#sorry about the US-centric list, this is just a list that comes to
#mind, left over from the days when i worked for a living.
Terena is one technically oriented possibility from Europe.
Since we're talking about cybercrime, I also wonder about law
enforcement agencies, such as Interpol.
Would vendors also provide a useful source of data?
#thanks Joe for the speedy reply, even though it did sorta make my
#eyeballs peel. :-)
De nada. :-) Happy to peel eyeballs anytime. :-)
Disclaimer: all opinions strictly my own.
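The counting and tracking steps in 1a-1c and 2a/2d above, as an added example that is not part of the original message: a Python script that takes repeated resolution snapshots of candidate domains and computes unique IP and name-server counts, per-IP first/last-seen times, and a churn score. The snapshots are constructed sample data (a real feed would come from live DNS queries), and the thresholds in is_flux_candidate are illustrative assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed observations: (time_s, domain, ttl, A records, NS names).
# In practice each row is one resolution of a candidate domain from the feed
# (steps 2a/2d); these values are made up so the script runs offline.
OBSERVATIONS = [
    (0,   "flux.example", 180, {"203.0.113.10", "203.0.113.22", "198.51.100.7"},  {"ns1.flux.example", "ns2.flux.example"}),
    (300, "flux.example", 180, {"203.0.113.22", "198.51.100.91", "192.0.2.5"},   {"ns1.flux.example", "ns2.flux.example"}),
    (600, "flux.example", 180, {"192.0.2.5", "192.0.2.77", "198.51.100.140"},    {"ns1.flux.example", "ns3.flux.example"}),
    (0,   "static.example", 86400, {"192.0.2.200"}, {"ns.hoster.example"}),
    (300, "static.example", 86400, {"192.0.2.200"}, {"ns.hoster.example"}),
    (600, "static.example", 86400, {"192.0.2.200"}, {"ns.hoster.example"}),
]

@dataclass
class FluxStats:
    unique_ips: int       # 1a: distinct A records seen across all snapshots
    unique_ns: int        # 1c: distinct name servers seen across all snapshots
    min_ttl: int          # lowest TTL observed
    churn: float          # mean fraction of A records absent from the previous snapshot
    ip_lifetimes: dict    # 2d: ip -> (first_seen, last_seen)

def analyse(observations):
    by_domain = defaultdict(list)
    for t, domain, ttl, ips, ns in observations:
        by_domain[domain].append((t, ttl, ips, ns))
    stats = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r[0])
        seen_ips, seen_ns, lifetimes, churns, prev = set(), set(), {}, [], None
        for t, ttl, ips, ns in rows:
            if prev is not None:                      # how much of this answer is new?
                churns.append(len(ips - prev) / len(ips))
            for ip in ips:                            # track each IP's first and last sighting
                first, _ = lifetimes.get(ip, (t, t))
                lifetimes[ip] = (first, t)
            seen_ips |= ips
            seen_ns |= ns
            prev = ips
        mean_churn = sum(churns) / len(churns) if churns else 0.0
        stats[domain] = FluxStats(len(seen_ips), len(seen_ns), min(r[1] for r in rows), mean_churn, lifetimes)
    return stats

def is_flux_candidate(s, min_ips=5, max_ttl=600, min_churn=0.5):
    # Assumed thresholds: many distinct IPs, short TTL, and a high turnover between answers.
    return s.unique_ips >= min_ips and s.min_ttl <= max_ttl and s.churn >= min_churn

if __name__ == "__main__":
    for domain, s in analyse(OBSERVATIONS).items():
        print(domain, s.unique_ips, s.unique_ns, s.min_ttl, round(s.churn, 2), is_flux_candidate(s))
```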